CH

C. Hernandez Ganan

info

Please Note

75 records found

Conference paper (2026) - Ryu Kuki, Takayuki Sasaki, Arwa Al Alsadi, Carlos Gañán, Katsunari Yoshioka
In recent years, while the threat of cyber attacks and malware targeting the vulnerabilities of the Internet of Things (IoT) has become more serious, various efforts have been made to mitigate the spread of these threats and the damage they cause. This study aims to understand the mechanisms behind the increase and decrease in HTTP-based exploits targeting IoT devices, and to verify the effectiveness of current prevention and mitigation measures. By integrating attack analysis observed in honeypots, collecting malware samples, and publicly available vulnerability information, we visualize the temporal changes in the number of attacks over the lifetime of vulnerabilities, and identify the impact of life events such as the release of the proof-of-concept (PoC) or the weaponization into malware on changes in attack trends. Comparing attack volumes for vulnerabilities discovered from 2008 to 2024, we discover differences in attack trends depending on the age of the device and vulnerability. Our results show that attacks targeting new devices with adequate security measures tend to decrease relatively quickly, while attacks targeting older devices with inadequate measures often persist until the end of the device's life, by being weaponized in malware. These findings confirm that existing security measures are effective to a limited extent, but at the same time, they also show that continuous improvement and proactive measures are necessary to prevent the exploitation of vulnerabilities from continuing for long periods of time. ...

Still Accurate a Decade Later?

Conference paper (2026) - Radu Anghel, Carlos Gañán, Yury Zhauniarovich
PeeringDB consists of self-reported data and is widely used to facilitate network interconnection, automation, and research, often serving as a ground truth source. However, the accuracy of its data remains a significant concern. In this study, we evaluate the reliability of PeeringDB using a dataset from January 2025. Our analysis finds certain inconsistencies in key data elements. We identified ASNs that remain present in the database despite no longer being assigned. Analysis of self-reported network types reveals that 28.58% of networks either do not report a type or choose not to disclose it, challenging its use to support interconnection decisions. Further comparison of the available network types against their equivalent classifications from ASdb and IPinfo shows considerable disagreement. Manual validation of networks in the "Government"category reveals that only 77.10% of ASNs provided accurate network type. Finally, the consistency check of self-reported prefix counts with routing data from RIPE RIS and CAIDA ASRank indicated significant inconsistencies. Our findings underscore the need for enhanced validation mechanisms to improve the reliability of data provided by PeeringDB for improving its research and operational uses. ...

A software framework to ensure reproducibility in algorithmically generated domains detection

Journal article (2025) - Tomás Pelayo-Benedet, Ricardo J. Rodríguez, Carlos H. Gañán
As part of its life cycle, malware can establish communication with its command and control server. To bypass static protection techniques, such as blocking certain IPs in firewalls or DNS server deny lists, malware can use algorithmically generated domains (AGD). Many different solutions based on deep learning have been proposed during the last years to detect this type of domains. However, there is a lack of ability to compare the proposed models because there is no common framework that allows experiments to be replicated under the same conditions. Each previous work shows its evaluation results, but under different experimentation conditions and even with different datasets. In this paper, we address this gap by proposing a software framework, dubbed Rampage (fRAMework to comPAre aGd dEtectors), focused on training and comparing machine learning models for AGD detection. Furthermore, we propose a new model that uses logistic regression and, using Rampage to obtain a fair comparison with different state-of-the-art models, achieves slightly better results than those obtained so far. In addition, the dataset built from real-world samples for evaluation, as well as the source code of Rampage, are also publicly released to facilitate its use and promote experimental reproducibility in this research field. ...

Overcoming limitations of TabPFN in IIoT-MEC environments with a weighted fusion ensemble-TabPFN model for improved IDS performance

Journal article (2025) - Sergio Ruiz-Villafranca, José Roldán-Gómez, Javier Carrillo-Mondéjar, José Luis Martinez, Carlos H. Gañán
In recent years we have seen the emergence of new industrial paradigms such as Industry 4.0/5.0 or the Industrial Internet of Things (IIoT). As the use of these new paradigms continues to grow, so do the number of threats and exploits that they face, which makes the IIoT a desirable target for cybercriminals. Furthermore, IIoT devices possess inherent limitations, primarily due to their limited resources. As a result, it is often impossible to detect attacks using solutions designed for other environments. Recently, Intrusion Detection Systems (IDS) based on Machine Learning (ML) have emerged as a solution that takes advantage of the large amount of data generated by IIoT devices to implement their functionality and achieve good performance, and the inclusion of the Multi-Access Edge Computing (MEC) paradigm in these environments provides the necessary computational resources to deploy IDS effectively. Furthermore, TabPFN has been considered as an attractive option for solving classification problems without the need to reprocess the data. However, TabPFN has certain drawbacks when it comes to the number of training samples and the maximum number of different classes that the model is capable of classifying. This makes TabPFN unsuitable for use when the dataset exceeds one of these limitations. In order to overcome such limitations, this paper presents a Weighted Fusion-Ensemble-based TabPFN (WFE-Tab) model to improve IDS performance in IIoT-MEC scenarios. The presented study employs a novel weighted fusion method to preprocess data into multiple subsets, generating different ensemble family TabPFN models. The resulting WFE-Tab model comprises four stages: data collection, data preprocessing, model training, and model evaluation. The performance of the WFE-Tab method is evaluated using key metrics such as Accuracy, Precision, Recall, and F1-Score, and validated using the Edge-IIoTset public dataset. The performance of the method is then compared with baseline and modern methods to evaluate its effectiveness, achieving an F1-Score performance of 99.81%. ...

Piecing Together Factors of IoT Vulnerability Exploitation

Conference paper (2025) - Arwa Abdulkarim Al Alsadi, Mathew Vermeer, Takayuki Sasaki, Katsunari Yoshioka, Michel Van Eeten, Carlos Gañán
The proliferation of Internet of Things (IoT) devices has led to a surge in vulnerabilities, with traditional metrics like CVSS and PoC exploits failing to fully explain exploitation patterns. To address this, we leverage features from the-state-of-the-art prediction model EPSS – such as CVSS, CWE, vendors, external references, vulnerability age, and PoCs – and combine it with new features derived from hacking communities. Our study of 23,373 IoT-related CVEs and 25k posts from 25 hacking forums highlights the importance of including insights on attacker behavior from discussions involving vulnerabilities. We identified 38 features with a p-value < 0.05 that impact attackers’ selection of IoT vulnerabilities. We use two metrics to evaluate our model with features from hacking forums: McFadden’s pseudo R2, which showed a 21% improvement in explaining variance, and the Brier score for prediction accuracy, with a 17% improvement over EPSS. These results emphasize that current state-of-the-art methods struggle to capture the distinct nuances and complexity of IoT threats, and incorporating available information such as insights into attacker behavior can enhance the factors influencing the targeting of IoT vulnerability better. ...

Exploring the potential of Large Language Models for detecting Algorithmically Generated Domains

Journal article (2025) - Tomás Pelayo-Benedet, Ricardo J. Rodríguez, Carlos H. Gañán
Algorithmically Generated Domains (AGDs) are integral to many modern malware campaigns, allowing adversaries to establish resilient command and control channels. While machine learning techniques are increasingly employed to detect AGDs, the potential of Large Language Models (LLMs) in this domain remains largely underexplored. In this paper, we examine the ability of nine commercial LLMs to identify malicious AGDs, without parameter tuning or domain-specific training. We evaluate zero-shot approaches and few-shot learning approaches, using minimal labeled examples and diverse datasets with multiple prompt strategies. Our results show that certain LLMs can achieve detection accuracy between 77.3% and 89.3%. In a 10-shot classification setting, the largest models excel at distinguishing between malware families, particularly those employing hash-based generation schemes, underscoring the promise of LLMs for advanced threat detection. However, significant limitations arise when these models encounter real-world DNS traffic. Performance degradation on benign but structurally suspect domains highlights the risk of false positives in operational environments. This shortcoming has real-world consequences for security practitioners, given the need to avoid erroneous domain blocking that disrupt legitimate services. Our findings underscore the practicality of LLM-driven AGD detection, while emphasizing key areas where future research is needed (such as more robust warning design and model refinement) to ensure reliability in production environments. ...

Explaining the Persistence of Sub-optimal IoT Security Advice

The proliferation of consumer Internet of Things (IoT) devices has raised security concerns. In response, governments have been advising consumers on security measures, but these recommendations are not guaranteed to be implementable owing to the diverse and rapidly evolving IoT landscape, risking wasted efforts and uncertainty caused by unsuccessful attempts to secure devices. Through interviews and a workshop with 14 stakeholders involved in a Dutch national public awareness campaign, we found that while stakeholders recognized the validity of these concerns, they opted to continue the campaign with minor modifications while expecting regulatory changes to resolve the observed problem. Their justifications reveal an institutional incentive structure that overlooks well-documented user realities in security and privacy HCI research. This raises important considerations for the design and delivery of such support strategies. By fostering a collaborative dialogue, we aim to contribute to the development of user-centered security practices. ...
Exposing intrusion campaigns has become a geopolitical tool, with governments and commercial firms publishing threat intelligence reports about hacking attempts and modus operandi. U.S. government officials have explained this as not just a defensive practice but also as a way to ‘impose cost’ on attackers by forcing them to develop new infrastructure, tools, and techniques, consuming their scarce resources. We empirically examine this claim by analyzing attacker behavior before and after the publication of indicators of compromise (IOCs). Using IOC feeds from two leading commercial providers – deemed to best enable detection of sophisticated threats – we matched IOCs against a large dataset of real-world network traffic metadata. This enabled us to generate sightings retroactively, capturing malicious activity up to 150 days before and after publication. Unlike prior work focused on post-publication malicious activity, our method provides a more complete view over time. Our results show that most IOCs point to resources that attackers had already abandoned by the time of IOC publication, limiting their utility for detecting ongoing attacks and undermining the idea of ‘imposing costs’. Statistical modeling further reveals that publication status has low explanatory power for sightings, suggesting that confounding variables exist. We also observed a 30-day delay between the peak of threat actor activity and IOC publication for one provider. This study is the first empirical assessment linking threat intelligence publication to attacker behavior, bridging computer science and international relations. ...
Journal article (2024) - Esteban Damián Gutiérrez Mlot, Jose Saldana, Ricardo J. Rodríguez, Igor Kotsiuba, Carlos Gañán
The growing integration of Information and Communication Technology into Operational Technology environments in electrical substations exposes them to new cybersecurity threats. This paper presents a comprehensive dataset of substation traffic, aimed at improving the training and benchmarking of Intrusion Detection Systems (IDS) installed in these facilities that are based on machine learning techniques. The dataset includes raw network captures and flows from real substations, filtered and anonymized to ensure privacy. It covers the main protocols and standards used in substation environments: IEC61850, IEC104, NTP, and PTP. Additionally, the dataset includes traces obtained during several cyberattacks, which were simulated in a controlled laboratory environment, providing a rich resource for developing and testing machine learning models for cybersecurity applications in substations. A set of complementary tools for dataset creation and preprocessing are also included to standardize the methodology, ensuring consistency and reproducibility. In summary, the dataset addresses the critical need for high-quality, targeted data for tuning IDS at electrical substations and contributes to the advancement of secure and reliable power distribution networks. ...

Empirical Analysis of Lifespan Increase of IoT C&C Domains

Conference paper (2024) - Daniel Uroz, Ricardo J. Rodríguez, Carlos H. Gañán
The increasing prevalence of Internet of Things (IoT) devices have made them attractive targets for malware, highlighting the critical need to understand the dynamics of IoT Command and Control (C&C). While previous research observed short-lived C&Cs, recent observations indicate that the lifespan of domain names linked to IoT botnets is extending, deviating from previously recorded survival rates. To understand and characterize this emerging trend, we collected and examined 1049 IoT malware samples from late 2022 to early 2023, identifying 549 unique domains contacted by these samples. Domains were classified as malicious if detected by VirusTotal or followed a Domain Generation Algorithm pattern. Using data from WhoisXMLAPI and DNSDB Scout, we analyzed registration information and historical DNS resolutions, and identified relationships. Our findings reveal that the majority of C&C domains belong to Qsnatch and Mirai malware families, with an average lifespan of 2.7 years. Notably, seven active domains had an average lifespan of 5.7 years. We also observed a significant number of domains under the .vg and .ws TLDs, but with lack of passive DNS and registration information. ...

The Use of UTRS in Combating DDoS Attacks

Conference paper (2024) - Radu Anghel, Swaathi Vetrivel, Elsa Turcios Rodriguez, Kaichi Sameshima, Daisuke Makita, Katsunari Yoshioka, Carlos Gañán, Yury Zhauniarovich
Remotely Triggered Black Hole (RTBH) is a common DDoS mitigation approach that has been in use for the last two decades. Usually, it is implemented close to the attack victim in networks sharing some type of physical connectivity. The Unwanted Traffic Removal Service (UTRS) project offers a free, global, and relatively low-effort-to-join and operate RTBH alternative by removing the requirement of physical connectivity. Given these unique value propositions of UTRS, this paper aims to understand to what extent UTRS is adopted and used to mitigate DDoS attacks. To reach this goal, we collected two DDoS datasets describing amplification and Internet-of-Things-botnet-driven attacks and correlated them with the information from the third dataset containing blackholing requests propagated to the members of UTRS. Our findings suggest that, currently, just a small portion of UTRS members (approximately 10 % ) trigger mitigation attempts: out of 1200+ UTRS members, only 124 triggered blackholing events during our study. Among those, with high probability, 25 Autonomous Systems (ASes) reacted on AmpPot attacks mitigating 0.025 % of them globally or 1.03 % targeting UTRS members; 2 countered IoT-botnet-driven attacks alleviating 0.001 % of them globally or 0.06 % targeting UTRS members. This suggests that UTRS can be a useful tool in mitigating DDoS attacks, but it is not widely used. ...
Journal article (2024) - Radu Anghel, Yury Zhauniarovich, Carlos Gañán
Distributed Denial-of-Service (DDoS) attacks continue to threaten the availability of Internet-based services. While countermeasures exist to decrease the impact of these attacks, not all operators have the resources or knowledge to deploy them. Alternatively, anti-DDoS services such as DDoS clearing houses and blackholing have emerged. Unwanted Traffic Removal Service (UTRS), being one of the oldest community-based anti-DDoS services, has become a global free collaborative service that aims at mitigating major DDoS attacks through the Border Gateway Protocol (BGP). Once the BGP session with UTRS is established, UTRS members can advertise part of the prefixes belonging to their AS to UTRS. UTRS will forward them to all other participants, who, in turn, should start blocking traffic to the advertised IP addresses. In this paper, we develop and evaluate a methodology to automatically detect UTRS participation in the wild. To this end, we deploy a measurement infrastructure and devise a methodology to detect UTRS-based traffic blocking. Using this methodology, we conducted a longitudinal analysis of UTRS participants over ten weeks. Our results show that at any point in time, there were 562 participants, including multihomed, stub, transit, and IXP ASes. Moreover, we surveyed 245 network operators to understand why they would (not) join UTRS. Results show that threat and coping appraisal significantly influence the intention to participate in UTRS. ...

An IP Address Attribution Service for Working with Historic Datasets

Conference paper (2023) - Florian Streibelt, Martina Lindorfer, Seda Gürses, Carlos H. Gañán, Tobias Fiebig
Researchers and practitioners often face the issue of having to attribute an IP address to an organization. For current data this is comparably easy, using services like whois or other databases. Similarly, for historic data, several entities like the RIPE NCC provide websites that provide access to historic records. For large-scale network measurement work, though, researchers often have to attribute millions of addresses. For current data, Team Cymru provides a bulk whois service which allows bulk address attribution. However, at the time of writing, there is no service available that allows historic bulk attribution of IP addresses. Hence, in this paper, we introduce and evaluate our ‘Back-to-the-Future whois’ service, allowing historic bulk attribution of IP addresses on a daily granularity based on CAIDA Routeviews aggregates. We provide this service to the community for free, and also share our implementation so researchers can run instances themselves. ...

A User Study of Recovery from Flubot Smartphone Malware

The smishing-based malware Flubot was taken down in mid-2022, yet there is little understanding of how it directly impacted smartphone users. We engage with customers of a partner Internet Service Provider (ISP), who have suffered a Flubot infection on their smartphones. We surveyed 87 ISP customers who had been notified of a Flubot infection, in the months around and preceding the take-down of Flubot. We found that slightly over half of respondents were unaware of the malware infection before being notified, though many others had suspicions. We also observe that just over half of respondents experienced non-technical harms from the malware, with many experiencing harms before notification and several experiencing unwanted or aggressive activity from users of other infected devices. Many respondents reported not having removed the malware, while some discarded the infected device or stopped using online services in their efforts to be more secure afterwards. We offer recommendations, including that clearer guidance be sought to help users identify a malware infection (and not a focus only on prevention), and support provided for recovery from personal harms caused by mobile malware, as the impacts are not only technical. ...
Book chapter (2023) - T. Fiebig, F.S. Gürses, C. Hernandez Ganan, E. Kotkamp, F.A. Kuipers, Martina Lindorfer, M.M.G.C. Prisse, P.T. Sari
With the emergence of remote education and work in universi- ties due to COVID-19, the ‘zoomification’ of higher education, i.e., the migration of universities to the clouds, reached the public dis- course. Ongoing discussions reason about how this shift will take control over students’ data away from universities, and may ulti- mately harm the privacy of researchers and students alike. How- ever, there has been no comprehensive measurement of universi- ties’ use of public clouds and reliance on Software-as-a-Service of- ferings to assess how far this migration has already progressed. We perform a longitudinal study of the migration to public clouds among universities in the U.S. and Europe, as well as institutions listed in the Times Higher Education (THE) Top100 between Jan- uary 2015 and October 2022. We find that cloud adoption differs between countries, with one cluster (Germany, France, Austria, Switzerland) showing a limited move to clouds, while the other (U.S., U.K., the Netherlands, THE Top100) frequently outsources universities’ core functions and services—starting long before the COVID-19 pandemic. We attribute this clustering to several socio- economic factors in the respective countries, including the general culture of higher education and the administrative paradigm taken towards running universities. We then analyze and interpret our results, finding that the implications reach beyond individuals’ pri- vacy towards questions of academic independence and integrity. ...
Conference paper (2023) - Florian Streibelt, Patrick Sattler, Franziska Lichtblau, Carlos H. Gañán, Anja Feldmann, Oliver Gasser, Tobias Fiebig
DNS is one of the core building blocks of the Internet. In this paper, we investigate DNS resolution in a strict IPv6-only scenario and find that a substantial fraction of zones cannot be resolved. We point out, that the presence of an AAAA resource record for a zone’s nameserver does not necessarily imply that it is resolvable in an IPv6-only environment since the full DNS delegation chain must resolve via IPv6 as well. Hence, in an IPv6-only setting zones may experience an effect similar to what is commonly referred to as lame delegation. Our longitudinal study shows that the continuing centralization of the Internet has a large impact on IPv6 readiness, i.e., a small number of large DNS providers has, and still can, influence IPv6 readiness for a large number of zones. A single operator that enabled IPv6 DNS resolution–by adding IPv6 glue records–was responsible for around 20.3% of all zones in our dataset not resolving over IPv6 until January 2017. Even today, 10% of DNS operators are responsible for more than 97.5% of all zones that do not resolve using IPv6. ...

DNS Response Manipulation in the Wild

Conference paper (2023) - Yevheniya Nosyk, Qasim Lone, Yury Zhauniarovich, Carlos H. Gañán, Emile Aben, Giovane C.M. Moura, Samaneh Tajalizadehkhoob, Andrzej Duda, Maciej Korczyński
DNS is a protocol responsible for translating human-readable domain names into IP addresses. Despite being essential for many Internet services to work properly, it is inherently vulnerable to manipulation. In November 2021, users from Mexico received bogus DNS responses when resolving whatsapp.net. It appeared that a BGP route leak diverged DNS queries to the local instance of the k-root located in China. Those queries, in turn, encountered middleboxes that injected fake DNS responses. In this paper, we analyze that event from the RIPE Atlas point of view and observe that its impact was more significant than initially thought—the Chinese root server instance was reachable from at least 15 countries several months before being reported. We then launch a nine-month longitudinal measurement campaign using RIPE Atlas probes and locate 11 probes outside China reaching the same instance, although this time over IPv6. More broadly, motivated by the November 2021 event, we study the extent of DNS response injection when contacting root servers. While only less than 1% of queries are impacted, they originate from 7% of RIPE Atlas probes in 66 countries. We conclude by discussing several countermeasures that limit the probability of DNS manipulation. ...

SOC Workflows and Decisions in the Management of NIDS Rules

Signature-based network intrusion detection systems (NIDSs) and network intrusion prevention systems (NIPSs) remain at the heart of network defense, along with the rules that enable them to detect threats. These rules allow Security Operation Centers (SOCs) to properly defend a network, yet we know almost nothing about how rules are created, evaluated and managed from an organizational standpoint. In this work, we analyze the processes surrounding the creation, management, and acquisition of rules for network intrusion detection. To understand these processes, we conducted interviews with 17 professionals who work at Managed Security Service Providers (MSSPs) or other organizations that provide network monitoring as a service or conduct their own network monitoring internally. We discovered numerous critical factors, such as rule specificity and total number of alerts and false positives, that guide SOCs in their rule management processes. These lower-level aspects of network monitoring processes have generally been regarded as immutable by prior work, which has mainly focused on designing systems that handle the resulting alert flows by dynamically reducing the number of noisy alerts SOC analysts need to sift through. Instead, we present several recommendations that address these lower-level aspects to help improve alert quality and allow SOCs to better optimize workflows and use of available resources. These recommendations include increasing the specificity of rules, explicitly defining feedback loops from detection to rule development, and setting up organizational processes to improve the transfer of tacit knowledge. ...

Analyzing the target selection of IoT vulnerabilities in malware binaries

Conference paper (2023) - Arwa Abdulkarim Al Alsadi, Kaichi Sameshima, Katsunari Yoshioka, Michel van Eeten, Carlos H. Gañán
For years, attackers have exploited vulnerabilities in Internet of Things (IoT) devices. Previous research has examined target selection in cybercrime, but there has been little investigation into the factors that influence target selection in attacks on IoT. This study aims to better understand how attackers choose their targets by analyzing the frequency of specific exploits in 11,893 IoT malware binaries that were distributed between 2018-2021. Our findings indicate that 78% of these binary files did not specifically target IoT vulnerabilities but rather scanned the Internet for devices with weak authentication. To understand the usage of exploits in the remaining 2,629 binaries, we develop a theoretical model from relevant literature to examine the impact of four latent variables, i.e. exposure, vulnerability, exploitability, and patchability. We collect indicators to measure these variables and find that they can explain to a significant extent (?2=0.38) why some vulnerabilities are more frequently exploited than others. The severity of vulnerabilities does not significantly increase the frequency with which they are targeted, while the presence of Proof-of-Concept exploit code does increase it. We also observe that the availability of a patch reduces the frequency of being targeted, yet that more complex patches are associated with higher frequency. In terms of exposure, more widespread device models are more likely to be targeted by exploits. We end with recommendations to disincentivize attackers from targeting vulnerabilities. ...
Conference paper (2022) - X.B. Bouwman, Victor Le Pochat, Pawel Foremski, Tom Van Goethem, C. Hernandez Ganan, Giovane C.M. Moura, Samaneh Tajalizadehkhoob, Wouter Joosen, M.J.G. van Eeten
We tracked the largest volunteer security information sharing community known to date: the COVID-19 Cyber Threat Coalition, with over 4,000 members. This enabled us to address long-standing questions on threat information sharing. First, does collaboration at scale lead to better coverage? And second, does making threat data freely available improve the ability of defenders to act? We found that the CTC mostly aggregated existing industry sources of threat information. User-submitted domains often did not make it to the CTC's blocklist as a result of the high threshold posed by its automated quality assurance using VirusTotal. Although this ensured a low false positive rate, it also caused the focus of the blocklist to drift away from domains related to COVID-19 (1.4%-3.6%) to more generic abuse, such as phishing, for which established mitigation mechanisms already exist. However, in the slice of data that was related to COVID-19, we found promising evidence of the added value of a community like the CTC: just 25.1% of these domains were known to existing abuse detection infrastructures at time of listing, as compared to 58.4% of domains on the overall blocklist. From the unique experiment that the CTC represented, we draw three lessons for future threat data sharing initiatives. ...